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Abstract 

Recently, a quantum key exchange protocol has been described which 
served as basis for securing an actual bank transaction by means of quan- 
tum cryptography jSj. Here we show, that the authentication scheme 
applied is insecure in the sense that an attacker can provoke a situation 
where initiator and responder of a key exchange end up with different 
keys. Moreover, it may happen that an attacker can decrypt a part of the 
plaintext protected with the derived encryption key. 
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1 Introduction 

In April 2004, in Vienna an actual bank transfer was protected by means of a 
one-time-pad-based encryption j8j where the one-time-pad has been derived by 
means of a quantum key exchange using a novel authentication scheme. How- 
ever, as pointed out, e. g., by Raub et al. fTI, using the "textbook version" of a 
one-time-pad for encrypting a bank transfer is not a suitable choice, if the plain- 
text involves no further integrity protection: assume, for instance, the amount 
of money to be transferred is represented as an ASCII string which is XORed 
with the one-time-pad. Then, by just flipping certain bits in the ciphertext, 
an attacker may change the amount of money to be transferred. Similarly, the 
attacker may be able to change the name of the recipient of the money. Thus, 
the one-time-pad encryption should be combined with (unconditionally secure) 
means ensuring the authenticity of the plaintext 7 . However, even a scheme 
modified in this sense would not provide a secure bank transfer: 

In this contribution we describe an attack on the quantum key exchange 
scheme itself that has been used in the Vienna experiment. Due to a flaw in 
the classical authentication part, an attacker may gain access to a part of the 
plaintext later encrypted under an established key. Also she may provoke a 
situation where the participants of the key exchange end up with different keys 
without noticing this. Of course, a trivial denial-of-service-attack ("cutting 
all wires") may also prevent the users from establishing a shared key; but the 
attack presented here is more severe in the sense that both protocol participants 
obtain a key which they might bring to use, as — differing from the "cut the wires 
approach" — the failure of the key exchange remains undetected. 



2 The quantum key exchange scheme used in 
Vienna 



The published version of the quantum key exchange protocol does not describe 
all details of the Vienna experiment. However, for describing our attack this 
is not really necessary, and it is sufhcient to look at the (classical) privacy 
amplification and authentication part. Owing to the attacks described below, 
the published version of these parts of the protocol deviates from the version 
used in the Vienna experiment; from the latter at the time of writing only a 
poster presentation 0] was available to us, and we are indebted to Momtchil Peev 
for kindly providing us with further details 3 . In summary, for establishing a 
common key between Alice and Bob, the following steps are performed: 

• A raw key between Alice and Bob is established by means of polarization- 
entangled photons. 

• In a sifting step, parts of the raw key are discarded based on a public 
discussion between Alice and Bob. 

• Next, the quantum bit error rate is estimated based upon which the pro- 
tocol is either aborted or continued with an error correction step. 

• Hereafter, privacy amplification is performed, based on a matrix sent from 
Alice to Bob. The result of the privacy amplification is the final key, if 
the subsequent authentication step succeeds. 

• Finally, a protocol-log extract is formed from the messages sent through- 
out the protocol so far; the authenticity of this log is checked by means 
of a message authentication procedure. The final key from the privacy 
amplification phase is accepted if and only if this authentication check 
succeeds. 

As already indicated above, for our attack only the last two steps are of impor- 
tance, as only one variant of our attack interferes with the quantum part of the 
protocol. 

Privacy amplification This part of quantum key exchange protocols has 
been introduced by Bennett et al. ^ and is based on a binary rectangular 
matrix Pa with random entries. Multiplying Pa with the raw key yields the 
shorter final key about which the adversary has only negligible information. 
Thus, each row of Pa determines one bit of the final key. 

Protocol-log extract The protocol-log extract is comprised of five parts (and 
has to be identical for Alice and Bob) [3]: 

• the basis for each sifted bit; 

• the positions of the bits disclosed in the process of error estimation; 
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• the estimated error rate; 

• the positions of the bits corrected by the specific error correction routine; 

• the last 128 bits of the jointly generated key (these are subsequently dis- 
carded). 

Note that the only part of the protocol-log extract influenced by the privacy 
amplification matrix are the last 128 bits of the jointly generated key; the privacy 
amplification matrix itself is not explicitly included, and the attack described 
in the next section exploits this. 

3 Cryptanalysis of the scheme 

By construction of the protocol, only 128 rows of the privacy amplification 
matrix Pa affect the protocol-log transcript. The remaining rows of Pa remain 
unauthenticated and hence can be modified by the attacker at will. E.g., she 
can 

• replace all (but the last 128) rows of Pa by random vectors. Consequently, 
the receiver Bob of Pa will end up with a key different from Alice's, but 
neither Alice nor Bob is aware of this fact. In particular, later bringing 
this key to use may result in the failure of an application — even when the 
attacker is not interfering with that application; 

• flip an individual entry in the z-th row of Pa- Then with a success prob- 
ability of ca. 0.5 (namely, if the corresponding bit in the raw key is set) 
she can flip the i-th bit of the key derived by Bob. 

Now suppose that the attacker succeeds in measuring a small number of qubits — 
logarithmic in the total number of qubits sent and assume further that few 
qubits of the sifted key after error correction are known to the attacker (this 
happens with polynomial probability). Then the attacker may proceed as fol- 
lows: She replaces one row of the privacy amplification matrix with a binary 
vector containing ones only at positions corresponding to bits of the sifted and 
error-corrected key she knows. In this way she learns a bit of the final key 
derived by Bob. Consequently, if the key later is used to encrypt a message 
from Bob to Alice by a bit-wise XOR, then the attacker immediately learns 
the respective plaintext bit. In fact, in the proposed form of the key exchange 
protocol, the attacker may use a trivial method for learning the complete key 
derived by Bob: even replacing — up to the last 128 — all rows of the privacy am- 
plification matrix by zero vectors remains undetected and results in the all-zero 
key for Bob. 
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4 Including the privacy amplification matrix in- 
to the protocol-log extract 

From the above discussion it may be tempting to conclude that including the 
complete privacy amplification matrix into the protocol-log extract is sufficient 
for securing the protocol. However, to show that this approach does not offer 
acceptable cryptographic security let us consider a variant of the above protocol 
in which the complete matrix Pa is included in the protocol-log extract and 
authenticated. (We stress that this variant of the protocol has not been proposed 
or used for the Vienna experiment jS]). 

Let us recall the authentication procedure applied in the Vienna experi- 
ment: For authenticating the protocol-log extract M, first it is compressed by 
a publically known cryptographic hash function Hq like SHA-256, and for all 
subsequent computations M is identified with its hash value under Hq. How- 
ever, in the presence of an unlimited adversary such an identification does not 
rule out the following attack: 

• The attacker impersonates Bob and follows the quantum key exchange 
up to the point where Alice sends the authenticated hash i?o(AfA) of her 
protocol- log extract M^- Here the attacker aborts the protocol with Alice. 

• Now, the attacker impersonates Alice and initiates a quantum key ex- 
change with Bob. The attacker follows the protocol up to the point where 
the privacy amplification matrix Pa is to be chosen. 

• Instead of choosing a random Pa , she makes an exhaustive search over all 
possible matrices of the appropriate size to find a matrix which, when 
included in the protocol- log extract, yields the same hash value Ho{Ma) 
as obtained from Alice. Such a P^ exists with overwhelming probability, if 
we model Hq(-) as a random oracle. As there are significantly more degrees 
of freemdom in the privacy amplification matrix than in the typical output 
of a a cryptographic hash function (like, e.g., SHA-256), the existence of 
such a P^ is plausible. 

For actually performing this exhaustive search, the attacker exploits that 
up to the last 128 bits of the final key (which only depend on the data 
collected so far and the privacy amplification matrix), the protocol- log 
extract is completely known. 

• The privacy amplification matrix P^ along with the authenticated hash 
Ho{Ma) obtained from Alice are sent to Bob, who will accept this as a 
valid authentication. 

• The subsequent authentication information from Bob is ignored, and the 
attacker can impersonate Alice in the subsequent use of the final key. 

To avoid the above attacks and ensure that the privacy amplification matrix is 
identical for Alice and Bob, Peev et al. make use of a scheme of Gilbert and 
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Hamrick P] where the privacy amplification matrix is not sent over the pubhc 
channel but derived from previously authenticated data. 

5 Conclusions 

The above discussion shows that in the original form the quantum key exchange 
scheme used in the Vienna protocol ^lE] does not offer acceptable cryptographic 
security. Similarly as the "malleability problem" pointed out by Raub et al. 0, 
our attacks focus on the classical parts of the protocol and provide evidence of 
the importance of classical cryptographic aspects in quantum cryptography. 
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